Thu September 6, 2012

Why Your Cell Phone Could Be Called A 'Tracker'

Many people use cellphones for purposes other than making calls. "If we call them trackers, then we're doing a much better job of informing ourselves what these devices are actually doing, and what we're really using them for," says ProPublica investigative reporter Peter Maass.

Peter Maass, an investigative reporter with ProPublica, says "our cellphones are collecting a heck of a lot more information than we expect them to be collecting about us."

Alfred A. Knopf Inc.

Your cellphone is a tracking device collecting a lot more information about you than you may think, says ProPublica investigative reporter Peter Maass.

"They are collecting where we are — not just at one particular moment in the day, but at virtually every moment of the day," Maass tells Fresh Air's Dave Davies. "They are also taking note of what we are buying, how we're purchasing it, how often we're purchasing it."

Maass says cellphone companies collect some of this information — such as location data — to monitor patterns of phone use and ensure that their networks operate properly. But while some cellphone providers eventually delete this data, other providers retain it for essentially "indefinite periods of time," he says.

And because there aren't any federal laws on how long wireless providers can retain information, wireless providers may "do as they wish," Maass says.

He calls the information "potentially a gold mine of data-mining information."

"When you know where somebody is, what they're doing, how long you're there for — that could be commercially useful, if not for the cellphone company, at least to other third-party companies who have things to sell," Maass says.

Cell data is also very useful to law enforcement during the course of an investigation and, Maass says, not difficult to access. A report released in July by Rep. Ed Markey, D-Mass., revealed that wireless carriers responded to more than 1.3 million cell data requests from law enforcement in 2011.

"Back in the day with landlines, [there] were pretty clear, pretty strict laws about what the police could access, when it could access it, and what sort of judicial oversight was required," he says. "These days, because cellphone technology in particular and the data it produces is relatively new and so abundant, the law hasn't really kept up with it, so law enforcement is really not faced with as many limits as it used to be."

Maass says regulators at the Federal Trade Commission do not have as much authority or impact as European regulators do — not because they don't wish to uncover privacy violations, but because of a lack of relevant, up-to-date laws and inadequate funding.

While people can reduce the amount of cellphone tracking by not using location applications and turning off their cellphones, Maass says, there is only one way to prevent a cellphone from collecting information: "The answer, pretty much, is don't use a cellphone at all."

Interview Highlights

On the outsourcing of technology regulation to Europe

"This is one of the very useful aspects of the global nature of Web use. For example, Facebook, of course, has about 900 million customers, and a huge number of those quite obviously are not in the United States. Now, when European regulators ask Facebook to make a change, or levy a fine against Facebook — and I'm just using Facebook as an example here. Facebook tends to apply all these changes, positive changes, to all of its customers.

"So the advantage of this — in a way, it's outsourcing regulation — is when a European regulator gets a major technology company, and most of the major ones are American — we're talking about Google, we're talking about Facebook, Twitter, etc. — when European regulators ask them to make a change, those changes are applied in most cases to all of the technology companies' clients, including those in the United States.

"So we here in America benefit when a European regulator leans for privacy purposes on an American company. And that's one way these days our privacy is protected, because it's not just the federal government, which has its hands obviously quite full, but also European regulators who have influence over American companies. ...

"And there are not the same kinds of concerns as there are in Europe — for example, how is this going to affect Google's bottom line? — as there might be in America among Washington politicians and other folks who do need to be aware of America's, who are aware of America's competitive position and do take that into consideration."

On how privacy violations in the U.S. were discovered by European regulators

"The best example is Google Street View. ... In America there was some opposition to Google taking pictures of everyone's house, but basically the program went ahead fine. ... Google said, 'Don't worry, we're just taking pictures of houses, it's not [a] big deal, we're not downloading any data.'

"In Europe, where there's much more recent history in the 20th century of abuses of personal information, there was a lot more opposition, because people were saying, 'Wait a minute, what are you doing? Do you really have the right to take pictures of our houses? Is that all you're doing with these fancy cars that have all this machinery in them?' And there was a data commissioner — or data protection officer — in Hamburg [Germany] who insisted that Google let him — his office — inspect the hard drive of one of these cars to make sure that all it was doing was taking pictures, and, to make a long story short, what he found out was that Google wasn't just taking pictures. Google was also downloading data from open Wi-Fi networks as its cars went down these streets, and Google had said it wasn't doing this. ... Now, Google had also been doing this in the United States, but American authorities had not really pushed Google to the wall enough on what its cars were doing. ...

"Now, this is the kind of thing one would ideally want our own regulators to be aware of and to have surfaced and punished Google for if indeed this was a privacy violation. But, in fact, it was European authorities who really led the way on this, and I talked with officials at the FTC and they admitted, yes, the Europeans were the ones who found out Google was downloading personal data, not them. And one of the reasons why is European authorities have a bit more authority in some important cases, in important areas, than American authorities do. There are folks in the FTC who are real privacy hounds, who come from the privacy sphere, but they don't have necessarily the funding and they don't necessarily have the authority to get the information and to do what they might like to do in a more ideal situation."

On why we should call our cellphones "trackers"

"We think they should be called trackers because we're no longer using them as phones. There was a study done by a British cellphone carrier quite recently, which asked smartphone users, 'What are you actually using these devices for?' And making phone calls was actually the fifth most popular thing that smartphones are being used for. More popular was checking your email, checking your social media, listening to music, playing games, things of that sort. So phoning people on your smartphone is really not what most of us are using these devices for, so it's not accurate, in a way, to refer to them as phones, when what we're using them for are things other than making phone calls.

"But, more important than that, in some ways, is our understanding of what these things are. When we call them phones, we think of them as phones. This is the whole idea of framing. In politics, if you call something a death panel, that influences what people think about it. If you call something Obamacare, that influences what people think about it, positively or negatively. So with these smartphones, given that they do so much tracking, in the sense of, 'We're keeping track of our lives, we're keeping track of the news, we're keeping track of our friends, and corporate and government entities are keeping track of us,' if we call them trackers, then we're doing a much better job of informing ourselves what these devices are actually doing, and what we're really using them for."

Copyright 2012 National Public Radio. To see more, visit http://www.npr.org/.

Transcript

TERRY GROSS, HOST:

We're constantly discovering new uses for our smartphones. We write texts and emails, follow maps, order clothes and food, surf the Internet and, of course, make calls. But while we're doing all of this, our phone carriers are gathering enormous amounts of information about us.

Our guest, reporter Peter Maass, says we should be thinking more about what they're doing with that information. Maass wrote in The New York Times in July that the device in your purse or jeans that you think is a cellphone is really a tracking device that happens to make calls. He suggests we stop calling them phones and call them trackers.

Cellphone carriers are holding on to all the information collected in smart phones, including text messages and locations. And it was reported this summer that last year cellphone carriers responded to more than a million requests for information from law enforcement agencies.

Peter Maass has been reporting on issues of technology and privacy for the investigative reporting nonprofit ProPublica. He spoke with FRESH AIR contributor Dave Davies.

DAVE DAVIES, HOST:

Peter Maass, welcome back to FRESH AIR. What kind of information are our cellphones collecting about us?

PETER MAASS: Our cellphones are collecting a heck of a lot more information than we expect them to be collecting about us. They are collecting where we are - not just at one particular moment in the day, but at virtually every moment of the day. This is location information that the cellphone carriers collect and most importantly retain for sometimes quite long periods of time. They are also taking note of what we are buying, how we are purchasing it, how often we are purchasing it. That's just kind of a starting point of the sorts of various sensitive, very important things that these phones take note of - including, I should add, and this is very important, our text messages.

DAVIES: Right. And when we're talking about location information, we're talking about not just where we were when we were on the phone talking or texting, but where we were all the time? Is that right?

MAASS: Yes. As a matter of just kind of their networks operating properly, they need to kind of check to make sure we're people's phones are. So basically through either GPS tracking or through triangulation of the cellphone towers, they are at different intervals depending on which phone company we're talking about, depending on where your location is, they are checking to see where you are and they are recording this information and they do hold on to it. That's very important information for them to have.

DAVIES: And retain for some period of time?

MAASS: It depends on your provider. Some providers keep for an indefinite period of time. Some providers do delete it or say they delete it. But the thing is that they really are able to do as they wish because there are no rules, federal rules, federal laws on how long they can or should retain this information for. And the thing is that for them it's useful information technologically understandably because they need to know kind of what the patterns of phone use are so that if they need to build more towers in a particular place they know how many to build, things of that sort. But it's also potentially a gold mine of data mining information.

When you know when and where somebody is, what they're doing, how long they are there for, that could be commercially useful if not to the cellphone company, at least two other third-party companies that have things to sell. In addition to which this is all very useful to law enforcement because if they are investigating somebody or something and they need to find out where they were, they can get that information from the cellphone companies.

DAVIES: Now for a long time we've known that law enforcement will go to the phone company when they're doing an investigation. If someone is a suspect in a murder case they'll pull phone records and see who they've been talking to frequently for leads and valuable information. Does that now extend widely to geo-tracking information? Are they going to these cellphone companies to find out where we are?

MAASS: Absolutely. And that's one of the, you know, innovations that cellphones offer because previously when it was just landlines were talking about well, you know, you know where somebody is when you're calling from a landline because you know where that landline is. But now because people are calling from all sorts of locations, wherever they happen to be with their cellphones, police can find out where you are at the moment that you are calling even if it's not your home where the landline is or the office where your landline is. And if you're investigating whatever it is, a robbery, burglary, particularly things like kidnappings, of course, this is vital and really important information that they want to take advantage of and it has become - and this is kind of particularly important here - it has become particularly easy for them to access this information.

Because back in the day with landlines, there were pretty clear, pretty strict laws about what the police could access, when it could access it and what sort of judicial oversight was required. These days, because cellphone location technology in particular and the data that, you know, it produces is relatively new and so abundant the law hasn't really kept up with it. So law enforcement is really not faced with as many limits as they used to be and so they are availing themselves quite freely, it appears, in modest amounts, to get a hold of this information pretty much at the drop of the hat.

DAVIES: In general, is it believed that there's a different legal standard for a case where the police are actually wanting to listen to conversations, you know, or get the actual content of conversations as opposed to simply find out where you are? Is it clear that there is a different legal standard for those two kinds of information?

MAASS: Well, what you're talking about there is wiretapping, and there is kind of long established, very firm laws about what police need to do, what evidence they need to have, what kind of judicial approval needs to be assembled in order for that to happen. Whether you're doing that sort of wiretapping on a landline or a cell phone, it is my understanding that the same long established rules apply.

The twist these days is that it's not as important to know what somebody is saying on a phone. What's very important these days and very useful these days and much easier to get is where they were when they were making the call - who they were calling, how often they were calling, where they moved to while they were calling.

These things, for an investigator, turn out to be extremely important. So that what you're actually saying on the phone isn't as important as where you were when you were saying it and who you were saying it to. And law enforcement knows who you were saying it to because they know not only where you call from but also the number you are calling to.

DAVIES: If you wanted to find out, will your cell phone company tell you what they're doing with your data?

MAASS: You know, this is one of the marvelous things that we found out. I should say in particular my colleague, Megha Rajagopalan, found out. Megha contacted her carrier and then other people at ProPublica contacted their carriers, the different carriers, and everybody asked the same question. Could we please have our location information?

And the answer from every single one of these companies was no, you certainly cannot. So the bottom line is, they will provide that information to law enforcement. They may now or they may at some point in the future provide that information to companies that pay for it. At this moment they will not provide that information to you.

DAVIES: If you don't want to be tracked, is there anything you can do? Are there settings you can adjust or anything?

MAASS: Are there ways that you can limit the information that is collected on you? Sure. There are. Some of them are actually quite easy. You know, you cannot use the location apps. That will reduce the amount of location information that is provided to companies that control the apps.

You can turn off your cell phone, but you know, it is possible for malware to be used against you that indicates your cell phone is turned off whereas in fact it's not. So it's still pinging your information around. But if the question is, you know, how do we stop tracking from occurring on us with our cell phones, the answer pretty much is, don't use a cell phone at all.

DAVIES: Well, Peter, you've recently written about the Federal Trade Commission and the challenges it faces in privacy regulation, and one of the points you make is that a lot of the valuable information that is revealed about the way companies may be violating our privacy has come not from federal investigators but from other places. You want to give us an example and tell us about it?

MAASS: Sure. I think the best example and the most kind of well known one is Google Street View. And this is, of course, the application, the program that most people are familiar with, where Google has kind of gone around America and gone around some parts of the world, particularly Europe, and taken pictures of every street.

And so if you plug in an address into your browser you can get a picture of the street. Now, in America there is some opposition to Google taking pictures of everybody's house, but basically the program went ahead and everything was kind of copasetic with that and Google said don't worry, we're just taking pictures of houses. It's not a big deal. We're not downloading any data or anything like that.

In Europe, where there was a much more recent history, in the 20th century, of abuses of personal information, there was a lot more opposition because people were saying, wait a minute, what are you doing? Do you really have the right to take pictures of our houses? Is that all you're doing with these fancy cars that have all this machinery in them?

And there was a data commissioner, a data protection officer, in Hamburg who basically insisted that Google let his office inspect the hard drive of one of these cars to make sure that all it was doing was taking pictures. And to make a long story short, what he found out was that Google wasn't just taking pictures. Google was also downloading data from open Wi-Fi networks as its cars went down these streets.

And Google had said it wasn't doing this. Now, Google had also been doing this in the United States but American authorities had not pushed Google to the wall enough on what its cars were really doing. It was a German official who basically pushed Google to the wall and got it to admit that it wasn't just taking pictures, that it was also downloading data, some of it private.

And Google is in a lot of hot water now with American authorities, but much more so with European authorities over what the Europeans particularly regard as gross violations of privacy in its Street View program. Now, this is the kind of thing that, you know, one would ideally want our own regulators to have been aware of and to have kind of surfaced and punished Google for if indeed this is a privacy violation.

But in fact it was European authorities who really kind of led the way on this. And one of the reasons why is because European authorities have a bit more authority in some important cases and some important areas than the American authorities do. There are folks at the FTC who are real privacy hounds who come from the privacy sphere, but they don't have necessarily the funding and they don't have necessarily the authority to get the information and to do what they might like to do in a more ideal situation.

DAVIES: Now, just to be clear about this, what Google was doing was going down the street and sweeping data from people's personal Wi-Fi networks, meaning potentially passwords and other personal information?

MAASS: Anything that was flowing over an open Wi-Fi network as the Google Street View cars were driving past was downloaded by the Street View cars. Since they were moving from any one particular Wi-Fi network, unless the car happened to be stopped at a traffic light, most of the information that was downloaded was somewhat fragmentary, because they'd be in the Wi-Fi network and then, because they're moving, they'd be out of it.

But in that information there were passwords and there was more than passwords. There was partial financial information and there was more personal information than that as well. So anything that was going over one of these open Wi-Fi networks, whether it was passwords, whether it was a note to a loved one, whether it was financial information, the Google Street View cars could have, and in some cases did, capture.

DAVIES: We're speaking with investigative reporter Peter Maass. We'll talk more after a break. This is FRESH AIR.

(SOUNDBITE OF MUSIC)

DAVIES: If you're just joining us, we're speaking with investigative reporter Peter Maass. He writes for ProPublica, where he and his colleague, Megha Rajagopalan, have done some research on digital privacy issues, in particular how law enforcement are getting information from cell phones.

Now, in your assessment of the Federal Trade Commission, the FTC, and its efforts in this area, I mean it's clear that they seem to be less effective than they are in Europe, and you make the point it's not because, as is sometimes the case with government regulators, the regulators are too close to the industry that they regulate. There are people of goodwill trying to do a good job here, right?

MAASS: Absolutely. At the FTC in the last couple of years under the Obama-era chairman, Jon Leibowitz, there's been a lot of really top tier privacy talent recruited to the agency. The problem is that they don't have as much authority as, in some cases, for example, European regulators have.

Because since the - really since the Reagan era, not just in terms of funding but also in terms of, you know, regulations, what the regulators are allowed and encouraged to do, it's declined in many cases. So they don't have as much manpower to regulate as they did before the Reagan era and the whole kind of government move against - or political move, I should say, against regulation.

And then they don't have as much kind of authority. I mean, there are no privacy laws that are really written for most of the privacy violations that occur today, because we're talking, you know, stuff and technology that has developed just in the last decade or so that has been widely deployed only in some cases in the last couple of years. And the law hasn't kept up with it.

And it's difficult, one has to admit, for the law to keep up with it because the technology changes so quickly. So even if you write a law today to protect, you know, our privacy on, let's say, Web browsers on our laptops, well, more and more of us are using mobile phones to browse the Web than laptops. So you've got kind of apply things to this different technology.

So it is very difficult for the law to keep up with these areas and because of, you know, Congress may not be as efficient as it used to be in terms of passing law, they're not getting passed as much as perhaps one would want in order for actual guidelines, rules of the road, to exist for federal regulators to enforce.

DAVIES: You've written that the Europeans have been more aggressive in pursuing digital privacy issues than American regulators. When they have some success in this area, does that affect policy in the United States and regulation here as well?

MAASS: Well, this is one of the very useful aspects of kind of, you know, the global nature of Web use. For example, Facebook, of course, has about 900 million customers, and a huge number of those, quite obviously, are not in the United States. Now, when the European regulators ask Facebook to make a change or levy a fine against Facebook - and I'm just using Facebook as an example here - Facebook tends to apply all of these changes, positive changes, to all of its customers.

So the advantage of kind of this, you know, in a way it's outsourcing the regulation, is that when a European regulator gets a major technology company, and most of the major ones are American - we're talking about Google, we're talking about Facebook, Twitter, etc. - when European regulators ask them to make a change, those changes are applied in most cases to all of the technology company's clients, including those in the United States.

So we here in America benefit when a European regulator leans for privacy purposes on an American company. And that's one way in which our privacy is these days protected. Because it's not just the federal government, which has its hands obviously quite full, but also European regulators who have influence over American companies.

And there's an argument that actually the European regulators in some respects have more power or will use their power more willingly against American companies, because these are American companies that the Europeans are moving against, not European companies, and there are not the same kinds of concerns in Europe, for example, how is this going to affect Google's bottom line, as there might be in America amongst Washington politicians and other folks who do need to be aware of America's and who are aware of America's competitive position and do that that into consideration.

Nobody wants to shut down Google. Europeans don't necessarily want to shut down Google, but they're less concerned about Google's bottom line in Europe than they are in America.

DAVIES: Well, Peter Maass, thanks so much for speaking with us.

MAASS: Thank you.

GROSS: Peter Maass spoke with FRESH AIR contributor Dave Davies. Maass is a reporter for ProPublica. You'll find a link to his article about why cell phones are really tracking devices on our website, freshair.npr.org, where you can also download podcasts of our show. Transcript provided by NPR, Copyright National Public Radio.